[instcombine] Fix oss-fuzz 39934 (mul matcher can match non-instruction)

Fixes a crash observed by oss-fuzz in 39934. Issue at hand is that code expects a pattern match on m_Mul to imply the operand is a mul instruction, however mul constexprs are also valid here.
2021-10-23 18:07:21 -07:00 · 2021-10-23 18:07:21 -07:00 · 3c06ecaa1e
parent 850217686e
commit 3c06ecaa1e
2 changed files with 10 additions and 2 deletions
--- a/llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
+++ b/llvm/lib/Transforms/InstCombine/InstCombineCompares.cpp
@ -4184,8 +4184,8 @@ Instruction *InstCombinerImpl::foldICmpBinOp(ICmpInst &I,
    if (match(Op0, m_Mul(m_Value(X), m_APInt(C))) && *C != 0 &&
        match(Op1, m_Mul(m_Value(Y), m_SpecificInt(*C))) && I.isEquality())
      if (!C->countTrailingZeros() ||
-          (BO0->hasNoSignedWrap() && BO1->hasNoSignedWrap()) ||
-          (BO0->hasNoUnsignedWrap() && BO1->hasNoUnsignedWrap()))
+          (BO0 && BO1 && BO0->hasNoSignedWrap() && BO1->hasNoSignedWrap()) ||
+          (BO0 && BO1 && BO0->hasNoUnsignedWrap() && BO1->hasNoUnsignedWrap()))
      return new ICmpInst(Pred, X, Y);
  }

--- a/llvm/test/Transforms/InstCombine/icmp-mul.ll
+++ b/llvm/test/Transforms/InstCombine/icmp-mul.ll
@ -668,3 +668,11 @@ define <2 x i1> @eq_mul_constants_with_tz_splat(<2 x i32> %x, <2 x i32> %y) {
  %C = icmp eq <2 x i32> %A, %B
  ret <2 x i1> %C
 }
+
+@g = extern_weak global i32
+
+define i1 @oss_fuzz_39934(i32 %arg) {
+  %B13 = mul nsw i32 %arg, -65536
+  %C10 = icmp ne i32 mul (i32 or (i32 zext (i1 icmp eq (i32* @g, i32* null) to i32), i32 65537), i32 -65536), %B13
+  ret i1 %C10
+}